Lecture 24
Wireless Network Security
modified from slides of Lawrie Brown
Wireless and Mobile Networks
• # wireless (mobile) phone subscribers now exceeds # wired phone subscribers (5-to-1)!
• # wireless Internet-connected devices equals # wireline Internet-connected devices
– laptops, Internet-enabled phones promise anytime untethered Internet access
• two important (but different) challenges
– wireless: communication over wireless link
– mobility: handling the mobile user who changes point of attachment to network
Seems Inescapable by the Internet
• Wireless nodes will soon dominate the Internet.
• Currently ~1B nodes, including wireline.
Urgent response to the exploding wireless demand is a necessity.
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/white_paper_c11-520862.html
Wireless Capacity – NOW!
• Scary trends in mobile wireless demand
– 2+ times increase per year since 2007.
– “18-fold by 2016!” Cisco, February 2012.
Opportunistic wireless networking is well accepted by the users!
• “More than 80% is landing on WiFi”, http://Wefi.com
http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/VNI_Hyperconnectivity_WP.html
Cellular is Full
• “Sorry, America: Your wireless airwaves are full”, CNN, Feb 21, 2012.
Elements of a wireless network
(figure: wireless hosts, base station, wireless link, network infrastructure)
Elements of a wireless network
wireless hosts
• laptop, smartphone
• run applications
• may be stationary (nonmobile) or mobile
• wireless does not always mean mobility
Elements of a wireless network
base station
• typically connected to wired network
• relay - responsible for sending packets between wired network and wireless host(s) in its “area”
• e.g., cell towers, 802.11 access points
Elements of a wireless network
wireless link
• typically used to connect mobile(s) to base station
• also used as backbone link
• multiple access control (MAC) protocol coordinates link access
• various data rates, transmission distance
Elements of a wireless network
infrastructure mode
• base station connects mobiles into wired network
• handoff: mobile changes base station providing connection into wired network
Elements of a wireless network
ad hoc mode
• no base stations
• nodes can only transmit to other nodes within link coverage
• nodes organize themselves into a network: route among themselves
Wireless network taxonomy
• single hop, infrastructure (e.g., APs): host connects to base station (WiFi, WiMAX, cellular) which connects to larger Internet
• single hop, no infrastructure: no base station, no connection to larger Internet (Bluetooth, ad hoc nets)
• multiple hops, infrastructure: host may have to relay through several wireless nodes to connect to larger Internet: mesh net
• multiple hops, no infrastructure: no base station, no connection to larger Internet. May have to relay to reach other wireless nodes: MANET, VANET
Wireless Security Overview
• concerns for wireless security are similar to those found in a wired environment
• security requirements are the same:
– confidentiality, integrity, availability, authenticity, accountability
– most significant source of risk is the underlying communications medium
Wireless Security
• Key factors contributing to higher security risk of wireless networks compared to wired networks include:
– Channel
• Wireless networking typically involves broadcast communications, which is far more susceptible to eavesdropping and jamming than wired networks
• Wireless networks are also more vulnerable to active attacks that exploit vulnerabilities in communications protocols
– Mobility
• Wireless devices are far more portable and mobile, thus resulting in a number of risks
– Resources
• Some wireless devices, such as smartphones and tablets, have sophisticated operating systems but limited memory and processing resources with which to counter threats, including denial of service and malware
– Accessibility
• Some wireless devices, such as sensors and robots, may be left unattended in remote and/or hostile locations, thus greatly increasing their vulnerability to physical attacks
Wireless Networking Components
Wireless Network Threats
• accidental association
• malicious association
• ad hoc networks
• nontraditional networks
• identity theft (MAC spoofing)
• man-in-the-middle attacks
• denial of service (DoS)
• network injection
Securing Wireless Transmissions
• principal threats are eavesdropping, altering or inserting messages, and disruption
• countermeasures for eavesdropping:
– signal-hiding techniques
– encryption
• the use of encryption and authentication protocols is the standard method of countering attempts to alter or insert transmissions
Securing Wireless Networks
• the main threat involving wireless access points is unauthorized access to the network
• principal approach for preventing such access is the IEEE 802.1X standard for port-based network access control
– provides an authentication mechanism for devices wishing to attach to a LAN or wireless network
• use of 802.1X can prevent rogue access points and other unauthorized devices from becoming insecure backdoors
Wireless Security Techniques
• use encryption
• allow only specific computers to access your wireless network
• use anti-virus and anti-spyware software and a firewall
• change your router’s pre-set password for administration
• turn off identifier broadcasting
• change the identifier on your router from the default
Mobile Device Security
• An organization’s networks must accommodate:
– Growing use of new devices
• Significant growth in employees’ use of mobile devices
– Cloud-based applications
• Applications no longer run solely on physical servers in corporate data centers
– De-perimeterization
• There are a multitude of network perimeters around devices, applications, users, and data
– External business requirements
• The enterprise must also provide guests, third-party contractors, and business partners network access using various devices from a multitude of locations
Security Threats
• Lack of physical security controls
• Use of untrusted networks
• Use of untrusted mobile devices
• Use of applications created by unknown parties
• Interaction with other systems
• Use of untrusted content
• Use of location services
Figure 24.2 Mobile Device Security Elements (figure): mobile device configuration server (the mobile device is configured with security mechanisms and parameters to conform to organization security policy); traffic is encrypted using an SSL or IPsec VPN tunnel; authentication/access control server (authentication and access control protocols used to verify device and user and establish limits on access); firewall (limits scope of data and application access); application/database server.
IEEE 802.11 Terminology
Wireless Fidelity (Wi-Fi) Alliance
• 802.11b
– first 802.11 standard to gain broad industry acceptance
• Wireless Ethernet Compatibility Alliance
– industry consortium formed in 1999 to address the concern of products from different vendors successfully interoperating
– later renamed the Wi-Fi Alliance
Wireless Fidelity (Wi-Fi) Alliance
• term used for certified 802.11b products is Wi-Fi
– has been extended to 802.11g products
• Wi-Fi Protected Access (WPA)
– Wi-Fi Alliance certification procedures for IEEE 802.11 security standards
– WPA2 incorporates all of the features of the IEEE 802.11i WLAN security specification
IEEE 802 Protocol Architecture
General IEEE 802 MPDU Format
MAC Protocol Data Unit
IEEE 802.11 Extended Service Set
IEEE 802.11 Services
Distribution of Messages Within a DS
• the two services involved with the distribution of messages within a Distribution System are:
– distribution: the primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS
– integration: service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN
Association-Related Services
• transition types, based on mobility:
– no transition
• a station of this type is either stationary or moves only within the direct communication range of the communicating stations of a single BSS
– BSS transition
• station movement from one BSS to another BSS within the same ESS;
• delivery of data to the station requires that the addressing capability be able to recognize the new location of the station
– ESS transition
• station movement from a BSS in one ESS to a BSS within another ESS;
• maintenance of upper-layer connections supported by 802.11 cannot be guaranteed
Services
• association
– establishes an initial association between a station and an AP
• reassociation
– enables an established association to be transferred from one AP to another,
• allowing a mobile station to move from one BSS to another
• disassociation
– a notification from either a station or an AP that an existing association is terminated
Wireless LAN Security
• Wired Equivalent Privacy (WEP) algorithm
– 802.11 privacy
• Wi-Fi Protected Access (WPA)
– set of security mechanisms that eliminates most 802.11 security issues
– based on the current state of the 802.11i standard
• Robust Security Network (RSN)
– final form of the 802.11i standard
• Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under WPA2
802.11i RSN security services
• Authentication: between a user and an Authentication Server that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link
• Access control: enforces the use of the authentication function, routes the messages properly, and facilitates key exchange
– It can work with a variety of authentication protocols
• Privacy with message integrity: MAC-level data are encrypted along with a message integrity code that ensures that the data have not been altered
Elements of IEEE 802.11i
IEEE 802.11i Phases of Operation
802.1X Access Control
MPDU Exchange
• authentication phase consists of three phases:
– connect to AS
• the STA sends a request to its AP that it has an association with for connection to the AS;
• the AP acknowledges this request and sends an access request to the AS
– EAP exchange
• authenticates the STA and AS to each other
– secure key delivery
• once authentication is established, the AS generates a master session key and sends it to the STA
IEEE 802.11i Key Hierarchies
IEEE 802.11i Keys for Data Confidentiality and Integrity Protocols
Phases of Operation
Temporal Key Integrity Protocol (TKIP)
• designed to require only software changes to devices that are implemented with the older wireless LAN security approach called WEP
• provides two services:
– message integrity: adds a message integrity code to the 802.11 MAC frame after the data field
– data confidentiality: provided by encrypting the MPDU
Counter Mode-CBC MAC Protocol (CCMP)
• Intended for newer IEEE 802.11 devices that are equipped with the hardware to support this scheme
• Provides two services:
– Message integrity: uses the cipher-block-chaining message authentication code (CBC-MAC)
– Data confidentiality: uses the CTR block cipher mode of operation with AES for encryption
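The two CCMP services above as working code, added here and not taken from the slides: AES-CBC-MAC over the frame header (the AAD) and the payload gives the MIC, AES-CTR gives confidentiality, and the two are composed as in CCM (RFC 3610) with CCMP's fixed parameters (8-byte MIC, 2-byte length field, 13-byte nonce). The key, nonce and frame contents passed in are constructed placeholders, and the real CCMP nonce layout (priority || transmitter address || packet number) and header-to-AAD mapping are left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

const micLen, lenField = 8, 2 // CCMP: 8-byte MIC (M=8), 2-byte length (L=2), 13-byte nonce

// cbcMAC: AES-CBC-MAC (zero IV) over B0 = flags||nonce||len(pt), the length-prefixed AAD and
// the plaintext, each zero-padded to a block. Assumes 0 < len(aad) < 0xFF00 (true for an MPDU).
func cbcMAC(blk cipher.Block, nonce, aad, pt []byte) []byte {
	aLen := (2 + len(aad) + 15) / 16 * 16
	msg := make([]byte, 16+aLen+(len(pt)+15)/16*16)
	msg[0] = 0x40 | ((micLen-2)/2)<<3 | (lenField - 1) // B0 flags: Adata=1, M'=(M-2)/2, L'=L-1
	copy(msg[1:], nonce)
	binary.BigEndian.PutUint16(msg[14:], uint16(len(pt)))
	binary.BigEndian.PutUint16(msg[16:], uint16(len(aad)))
	copy(msg[18:], aad)
	copy(msg[16+aLen:], pt)
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(msg, msg)
	return msg[len(msg)-16:] // CBC-MAC is the last CBC block
}

// ccm: CTR with counter blocks A_i = L'||nonce||i. decrypt=false returns (ciphertext, MIC);
// decrypt=true returns (plaintext, expected MIC) for the receiver to compare in constant time.
func ccm(key, nonce, aad, payload []byte, decrypt bool) (out, mic []byte) {
	blk, err := aes.NewCipher(key) // key is the 128-bit CCMP temporal key (TK)
	if err != nil {
		panic(err)
	}
	st := cipher.NewCTR(blk, append(append([]byte{lenField - 1}, nonce...), 0, 0)) // A_0
	s0 := make([]byte, 16)
	st.XORKeyStream(s0, s0) // S_0 = E(K, A_0) masks the MIC
	out = make([]byte, len(payload))
	st.XORKeyStream(out, payload) // S_1, S_2, ... encrypt or decrypt the payload
	if decrypt {
		payload = out // authenticate the recovered plaintext, not the ciphertext
	}
	mic = cbcMAC(blk, nonce, aad, payload)[:micLen]
	for i := range mic {
		mic[i] ^= s0[i]
	}
	return out, mic
}
```

A receiver calls `ccm(tk, nonce, aad, ciphertext, true)` and accepts the frame only if the returned MIC matches the received one (compare with `crypto/subtle.ConstantTimeCompare`); any change to the header, payload or nonce changes the expected MIC.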
Pseudorandom Function
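An added example, not from the slides, tying together the key hierarchy named above and the 802.11i pseudorandom function: PRF-n is built from HMAC-SHA-1, and PRF-384 expands the pairwise master key (PMK) into the pairwise transient key (PTK), which is split into the KCK, KEK and the CCMP temporal key TK. The PMK, MAC addresses and nonces used in main are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha1"
	"fmt"
)

// prf is the IEEE 802.11i PRF-n: R = HMAC-SHA-1(K, A || 0x00 || B || i) for i = 0, 1, ...
// concatenated until n bits are available, then truncated to n bits (n a multiple of 8).
func prf(key []byte, label string, data []byte, bits int) []byte {
	var out []byte
	for i := 0; len(out)*8 < bits; i++ {
		mac := hmac.New(sha1.New, key)
		mac.Write(append(append([]byte(label), 0x00), data...))
		mac.Write([]byte{byte(i)})
		out = mac.Sum(out)
	}
	return out[:bits/8]
}

// ordered returns (min, max) so that the AP and the station, which see the two addresses
// and nonces in opposite roles, feed the PRF the same B input and derive the same PTK.
func ordered(a, b []byte) ([]byte, []byte) {
	if bytes.Compare(a, b) < 0 {
		return a, b
	}
	return b, a
}

// derivePTK: PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||
// min(ANonce,SNonce)||max(ANonce,SNonce)), split into KCK, KEK and TK (128 bits each for CCMP).
func derivePTK(pmk, aa, spa, anonce, snonce []byte) (kck, kek, tk []byte) {
	a1, a2 := ordered(aa, spa)
	n1, n2 := ordered(anonce, snonce)
	ptk := prf(pmk, "Pairwise key expansion", bytes.Join([][]byte{a1, a2, n1, n2}, nil), 384)
	return ptk[:16], ptk[16:32], ptk[32:48]
}

func main() {
	// Constructed sample values, not from any real network: a 256-bit PMK, the AP (AA) and
	// station (SPA) MAC addresses, and the two 256-bit nonces exchanged in the key management phase.
	pmk := bytes.Repeat([]byte{0x11}, 32)
	aa, spa := []byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}, []byte{0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	anonce, snonce := bytes.Repeat([]byte{0xa1}, 32), bytes.Repeat([]byte{0xb2}, 32)
	kck, kek, tk := derivePTK(pmk, aa, spa, anonce, snonce)
	fmt.Printf("KCK=%x\nKEK=%x\nTK=%x\n", kck, kek, tk)
}
```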
Summary
• Wireless Security
– Wireless network threats
– Wireless security measures
• Mobile device security
– Security threats
– Mobile device security strategy
• IEEE 802.11 wireless LAN overview
– The Wi-Fi alliance
– IEEE 802 protocol
– IEEE 802.11 network components and architectural model
– IEEE 802.11 services
• IEEE 802.11i wireless LAN security
– IEEE 802.11i services
– IEEE 802.11i phases of operation
– Discovery phase
– Authentication phase
– Key management phase
– Protected data transfer phase
– The IEEE 802.11i pseudorandom function